RBI New Rules April 2026: 2FA Mandate, NBFC TDS & Cash Reporting — A Business Guide

April 2026 was the most consequential regulatory month for Indian businesses in recent memory. The RBI enforced mandatory two-factor authentication (2FA/AFA) on every digital payment, the Finance Bill 2026 introduced 10% TDS on NBFC interest payments above ₹10,000, the new Income-tax Act, 2025 imposed a ₹10 lakh PAN reporting trigger on aggregate cash deposits/withdrawals, and the RBI's E-mandate Framework 2026 reshaped how recurring payments are authorised. If your business takes online payments, pays vendor NBFCs, runs payroll, or handles cash — these changes hit your finance stack this quarter. This guide unpacks each rule, the effective date, and the exact action your team must take.

The 2FA Mandate: Every Digital Payment Now Needs Two Factors

Effective 1 April 2026, the RBI's Authentication Mechanisms for Digital Payment Transactions Directions, 2025 require two independent authentication factors for every customer-initiated digital payment — UPI, debit cards, credit cards, net-banking, and PPI wallets. The framework draws from three identity categories: knowledge (PIN, password), possession (device, token), and inherence (biometric). OTP can still serve as one factor — but never alone. One of the two factors must be uniquely generated per transaction, and the issuer carries full liability for any fraud caused by non-compliance.

What changes for businesses accepting payments

If your business runs a checkout — Shopify, WooCommerce, custom site, payment links — your payment aggregator (Razorpay, Cashfree, PayU, Stripe India) must support AFA across every channel by default. You don't configure 2FA yourself, but you must confirm three things in writing from your PSP:

• The gateway is AFA-compliant for cards, UPI, net-banking, and wallets.
• Your merchant agreement allocates fraud liability correctly (issuer-side after April 2026).
• Checkout-flow abandonment data — RBI's risk-based authentication adds steps for unusual transactions, which can lift drop-off 3-6% on first measurement.

Bulk payments and corporate banking

Corporate treasury teams running bulk payouts via host-to-host integrations, RTGS, NEFT, or UPI corporate must verify their ERP-to-bank pipeline supports AFA at transaction initiation. The most common failure point: legacy SAP/Tally integrations relying on a single API token for batch payments. Talk to your bank's cash-management desk before April closing — non-compliant batches now fail outright rather than process with a warning.

TDS on NBFC Interest: The Finance Bill 2026 Sting

From April 2026, all corporate borrowers and tax-audited individual borrowers must deduct 10% TDS on interest paid to NBFCs where the annual interest exceeds ₹10,000. This is a major change — previously, interest paid to NBFCs (Bajaj Finance, Tata Capital, Mahindra Finance, L&T Finance) was treated similarly to bank interest under Section 194A, but with a much narrower deduction scope. The Finance Bill 2026 closed that gap. Failure to deduct disallows 30% of the interest expense under Section 40(a)(ia) — a real cost, not a procedural slip.

Worked example: ₹50 lakh working-capital loan from an NBFC

A trading firm with a ₹50 lakh working-capital line at 14% interest pays ₹7 lakh in annual interest. If TDS isn't deducted: the firm loses ₹2.1 lakh as disallowance (30% of ₹7 lakh) when filing ITR, effectively raising the loan's tax-adjusted cost from 14% to ~18.2%. Deduction is straightforward — file Form 26Q quarterly, deposit ₹70,000 by the 7th of the following month, issue Form 16A to the NBFC.

What to do this quarter

• List every NBFC vendor — vehicle finance, equipment finance, working capital, invoice discounting.
• Confirm TAN registration is active and the deductee PAN of each NBFC is on file (most NBFCs publish this).
• Update accounting software (Tally, Zoho Books, Vyapar) to auto-deduct 10% from NBFC interest provisions.
• Schedule Form 26Q upload by the 31st of the month following each quarter end.

Need to automate this end-to-end? Tally/Zoho TDS automation can flag interest-bearing NBFC vendors automatically and generate Form 26Q exports.

₹10 Lakh PAN Reporting on Cash & The New Cash Penalty Regime

The Income-tax Act, 2025 (effective 1 April 2026) tightens the cash transaction reporting net. Aggregate cash deposits or withdrawals of ₹10 lakh or more in a financial year across all bank accounts now mandatorily trigger PAN reporting under the SFT (Statement of Financial Transactions) regime. For property transactions, the threshold is ₹20 lakh. The bank reports — but the onus to reconcile sits with the business.

Section 194N: TDS on cash withdrawal — three tiers

For a non-filer business withdrawing ₹1.2 crore in a year, the bank will deduct 2% on ₹20L–₹1cr (₹1.6L) and 5% on the remaining ₹20L (₹1L) — a total ₹2.6L locked up until the next ITR. The fix is mundane but binding: file ITR every year, on time, even if the business has nil tax liability. The 3 prior assessment years are the rolling test.

The cash-payment disallowance, refreshed

Section 40A(3) still disallows cash payments above ₹10,000 per person per day (₹35,000 for transport operators). The 2025 Act preserves this rule with renumbered sections. The practical effect for SMBs with cash-heavy operations — kirana suppliers, daily-wage labour, transport — is that paying anyone more than ₹10,000 in cash in a single day costs you the deduction. Switch to bank transfer or UPI for anything above ₹10,000.

RBI E-mandate Framework 2026: Recurring Payments Reset

On 21 April 2026, the RBI notified the Digital Payments – E-mandate Framework, 2026, consolidating every prior recurring-payment circular into a single rulebook. For any business running subscriptions — SaaS, fitness, OTT, EMIs, insurance — this changes both the mandate UX and the compliance burden. Three rules to internalise:

1. AFA at registration is non-negotiable. Modification or withdrawal also needs AFA — no one-click cancel without authentication.
2. ₹15,000 frictionless ceiling. Recurring debits up to ₹15,000 per transaction execute without per-transaction AFA. Above ₹15,000, the customer gets a real-time AFA prompt.
3. ₹1 lakh carve-out for insurance premiums, mutual-fund SIPs, and credit-card bill payments — these can debit up to ₹1 lakh without per-transaction AFA, reflecting the lower fraud risk of these categories.

The 24-hour pre-debit alert

The issuer must send a pre-transaction notification at least 24 hours before each recurring debit, with full transaction details and a one-tap opt-out. A post-debit confirmation is also mandatory. The auto-replenishment of FASTag and NCMC balances is exempt. For B2C subscription businesses, this notification is now a churn trigger you must plan around — the 24-hour window is effectively a fresh "consider cancelling" prompt every billing cycle.

Subscription business action list

• Audit every recurring SKU — flag those above ₹15,000 to budget for friction.
• Build a value-touch into the 24-hour pre-debit window (delivery confirmation, usage stats, upcoming feature) so the alert lands as confirmation, not as a stop signal.
• Re-mandate customers whose old e-mandates were registered without the new AFA standards by the deadline communicated by your gateway.

NBFC Registration Easing: Effective 1 July 2026

Through directions issued on 29 April 2026, the RBI exempted a class of "Unregistered Type 1 NBFCs" from mandatory registration under Section 45-IA and from the reserve-fund requirement under Section 45-IC, effective 1 July 2026. Eligibility is narrow but useful:

• Asset size below ₹1,000 crore.
• No customer interface.
• No raising of public funds.

Eligible existing NBFCs can apply for deregistration through RBI's PRAVAAH portal by 31 December 2026. For a family-office investment vehicle or a captive financing arm of a larger group, this removes registration overhead. For SMBs borrowing from such entities, due diligence shifts — the lender is no longer RBI-supervised, so loan documentation, KYC, and dispute terms must stand on their own.

Cross-Border Remittances: Easier for Authorised Dealer Banks

The RBI also removed the prior-approval requirement for non-bank entities to form tie-ups with Authorised Dealer (Category I) banks for facilitating outward remittance services. Subject to compliance with non-trade current account remittance directions, fintech players can now plug into AD bank rails without each tie-up being individually approved. For exporters and SaaS companies billing foreign clients, expect faster onboarding to remittance platforms and lower FX spreads as more providers enter the market.

What This All Means: A Sequenced Compliance Plan

Don't try to tackle all of these in one week. The sequence below maps each rule to its hard deadline and the team that owns it:

How Bizeract Can Help

Most of these changes are operational — they break when a vendor master is wrong, a TDS code is missing, or an integration isn't tested. We work with growing businesses on:

• Automating TDS deduction at the vendor-bill stage so NBFC interest never escapes the 10% cut.
• Quarterly TDS return filing (Form 26Q) and Form 16A issuance to NBFC vendors.
• GST and tax registration for new entities that need to onboard AFA-compliant payment rails.
• Subscription retention workflows built around the new 24-hour pre-debit notification window.

Frequently Asked Questions

Q: Is OTP still allowed for digital payments after April 2026?

Yes, but only as one of two factors. OTP alone — without a second independent factor like a device binding, biometric, or PIN — is no longer compliant. Banks and payment platforms have moved to OTP-plus-biometric or device-plus-PIN combinations to satisfy the AFA standard.

Q: Does the 10% TDS on NBFC interest apply to small proprietorships?

Only if the proprietorship was subject to tax audit in the preceding financial year (turnover above ₹1 crore for business or ₹50 lakh for profession). Non-audit individuals and HUFs are outside the TDS net for NBFC interest, but other Section 194A rules still apply.

Q: What happens if I forget to deduct TDS on NBFC interest?

Two consequences. First, 30% of the interest expense is disallowed under Section 40(a)(ia), raising your taxable profit. Second, interest at 1% per month on the un-deducted amount under Section 201 applies until paid. The disallowance is the bigger hit — for a ₹10 lakh annual NBFC interest, forgetting TDS costs ₹3 lakh in additional tax base.

Q: Do recurring SIPs above ₹15,000 still work without per-transaction AFA?

Yes. Mutual fund SIPs, insurance premiums, and credit-card bill payments enjoy a higher ₹1 lakh ceiling without per-transaction AFA — recognising their lower fraud profile. The one-time AFA at mandate registration is still required.

Q: My business deposits ₹2 lakh in cash weekly. Am I caught by the ₹10 lakh PAN rule?

Yes. The rule is on aggregate cash deposits or withdrawals across all your accounts in a financial year. ₹2 lakh weekly crosses ₹10 lakh in five weeks. The bank reports the SFT entry to the IT department; you must ensure the deposits reconcile to declared business turnover in your books and GSTR-1/3B. Mismatches are the most common trigger for IT scrutiny notices.

Q: I borrow from a friend's NBFC. Will it still be RBI-supervised after July 2026?

Only if it exceeds ₹1,000 crore asset size, has a customer interface, or raises public funds. Smaller family-office or group-captive NBFCs can deregister. Practical impact: tighten your loan agreement yourself — interest rate, repayment schedule, dispute resolution — since RBI's fair-practices code may no longer apply to your lender.

Q: Do these rules affect FY 2025-26 ITR filing (due July 2026)?

No. The new TDS rules, AFA mandate, and PAN reporting changes apply prospectively from 1 April 2026 onwards. FY 2025-26 ITR (filed July 2026) follows the existing rules under the 1961 Income-tax Act. The new rules are first reflected in advance-tax instalments and TDS deductions for tax year 2026-27.

The Bottom Line

April-May 2026 isn't a routine compliance cycle. The 2FA mandate, NBFC TDS, cash-reporting thresholds, and e-mandate framework collectively reshape how money moves into, out of, and inside Indian businesses. Each rule has a narrow, fixable break point — a missing TAN, an un-deducted invoice, a legacy payment API. Fix them sequentially before the first quarterly close under the new regime and the rest of FY 2026-27 runs clean. Skip them, and the first SFT notice or 40(a)(ia) disallowance will cost more than the work would have.

Sources: RBI Authentication Mechanisms for Digital Payment Transactions Directions, 2025; RBI Digital Payments — E-mandate Framework, 2026 (21 April 2026); Finance Bill 2026; Income-tax Act, 2025; CBIC SFT notifications; RBI NBFC Directions (29 April 2026); CAclubindia, India Briefing, Business Standard May 2026 coverage.